Current near field communication (NFC) systems rely on a hardware component commonly referred to as a “secure element” or a “secure memory” installed on communication devices to provide a secure operating environment for financial transactions, transit ticketing, identification and authentication, physical security access, and other functions. A secure element generally includes its own operating environment with a tamper-proof microprocessor, memory, and operating system. An NFC controller receives a payment request message from a merchant's point of sale (POS) system and transmits the message to the secure element for processing. A trusted service manager (TSM), or other form of secure service provider, can, among other things, install, provision, and personalize applications and data in the secure element. The secure element has one or more access keys that are typically installed at the time of manufacture. A corresponding key is shared with the TSM so that the TSM can establish a cryptographically secure channel to the secure element for installation, provisioning, and personalization of the secure element while the device having the secure element is in the possession of an end user. In this way, the secure element can remain secure even if the host CPU in the device has been compromised.
One deficiency with current NFC systems is that a tight coupling exists between the secure element and the TSM. For current deployments, only one TSM has access to the keys of a particular secure element. Therefore, the end user can choose to provision only those secure element features that are supplied by that one TSM. The manufacturer of the device typically chooses this TSM. For example, a smart phone manufacturer may select the TSM for smart phones under guidance from a mobile network operator (MNO), such as Phone Company A, which, rather than the end user, purchases the smart phone. Thus, the TSM features available to the end user may not be in the end user's interest. As an example, the MNO may have a business relationship with only one payment provider, such as Bank X. That TSM may allow the secure element to be provisioned with payment instructions from the one payment provider only. Thus, the end user would not be able to access services from other payment providers, such as Bank Z.
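The following added example (not part of the original text) models both points above: a TSM holding the key that corresponds to the secure element's access key can provision it through an untrusted host, while a second TSM without that key cannot. The HMAC-SHA256 challenge-response is an assumed, simplified stand-in for a real secure channel protocol, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import os


class SecureElement:
    """Toy secure element holding one access key (constructed at 'manufacture')."""

    def __init__(self, access_key: bytes):
        self._key = access_key
        self._challenge = None
        self.applets = []

    def get_challenge(self) -> bytes:
        self._challenge = os.urandom(16)  # fresh per command, so old tags cannot be replayed
        return self._challenge

    def provision(self, applet: bytes, tag: bytes) -> bool:
        challenge, self._challenge = self._challenge, None  # each challenge is single use
        if challenge is None:
            return False
        expected = hmac.new(self._key, challenge + applet, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # sender does not hold the corresponding key, or data was altered
        self.applets.append(applet)
        return True


class TSM:
    """Toy trusted service manager; it can only authenticate with the key it was given."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, challenge: bytes, applet: bytes) -> bytes:
        return hmac.new(self._key, challenge + applet, hashlib.sha256).digest()


def host_relay(se: SecureElement, tsm: TSM, applet: bytes, tamper: bool = False) -> bool:
    """Untrusted host CPU: relays messages between TSM and secure element, never sees a key."""
    tag = tsm.sign(se.get_challenge(), applet)
    if tamper:
        applet += b"-modified"  # a compromised host alters the payload in transit
    return se.provision(applet, tag)


def demo() -> dict:
    key = os.urandom(32)                       # constructed access key
    se, tsm_a = SecureElement(key), TSM(key)   # TSM A shares the corresponding key
    tsm_b = TSM(os.urandom(32))                # TSM B was never given that key
    return {
        "tsm_a": host_relay(se, tsm_a, b"bank-x-applet"),
        "tsm_b": host_relay(se, tsm_b, b"bank-z-applet"),
        "tampered": host_relay(se, tsm_a, b"bank-x-applet-2", tamper=True),
        "installed": list(se.applets),
    }
```

Only the applet from the TSM sharing the key is installed; the rejection of the second TSM is the tight coupling the text describes, and the rejection of the altered payload is why a compromised host CPU does not compromise the secure element.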